Istvan_Takacs_FTNT
Article Id 197866
Description
In some cases, when only limited external bandwidth is available, the customer needs to apply traffic shaping and priority to make sure critical applications or subnets receive more resources than non-critical ones.
 

Solution
The following use case was created to test the configuration of 2 different traffic shaping policies on a FortiGate firewall. The wan interface was limited to only 1 Mb, while both physical LAN interfaces were left at the default available on the FortiGate.

The policies were tested with simultaneous FTP file downloads, which have the potential to fully utilise the available bandwidth.

An SNMP server was used to monitor the link utilisation of all 3 interfaces at the same time and graph the result.

diagram.png

The FortiGate has the following configuration (showing only the relevant part).

config system interface
    edit "wan1"
        set ip 10.1.1.1 255.255.255.0
        set type physical
        set inbandwidth 1024
        set outbandwidth 1024
    next
    edit "internal1"
        set ip 20.1.1.1 255.255.255.0
        set allowaccess https ssh snmp
        set type physical
    next
    edit "internal5"
        set ip 30.1.1.1 255.255.255.0
        set allowaccess ping
        set type physical
    next
end
 
config firewall shaper traffic-shaper
    edit "client-guarantee-800kbps-high"
        set guaranteed-bandwidth 800
        set maximum-bandwidth 1024
        set per-policy enable
    next
    edit "crew-guarantee-400-medium"
        set guaranteed-bandwidth 200
        set maximum-bandwidth 1024
        set priority medium
    next
end

config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "client-10.1.1.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP_GET"
        set logtraffic all
        set traffic-shaper "client-guarantee-800kbps-high"
        set nat enable
    next
    edit 2
        set srcintf "internal5"
        set dstintf "wan1"
        set srcaddr "crew-20.2.2.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set traffic-shaper "crew-guarantee-400-medium"
        set nat enable
    next
end

The following chart displays the utilization of the WAN link during the upload/download test. The link was fully utilised all the time, regardless of which internal link was used or the direction of the traffic.

 WAN.jpg

The next charts display the link utilisation on both LAN ports, internal1 (client) and internal5 (crew), while the FTP downloads were either running simultaneously on both LAN networks or were stopped on one of the subnets.

 LAN.jpg

The following events, marked with the text boxes on the charts, took place on the 2 links.

1. The FTP download was started on both of the links and the traffic-shaping policies kicked in. The download was started a few minutes earlier on the client link, where the default priority 0 (High) was assigned to the traffic and the download could use the full 1 Mb link speed.

When the download started on the crew link, both of them were automatically shaped to the configured value.

2. Downloading was stopped on the crew network and again the client network could use the 1 Mb external bandwidth until the download was restarted again.

The high-priority sessions were already running on the client link and, as a result, they took priority over the crew download, so that subnet could only use the guaranteed limit (200 kbps).

3. FTP was stopped on the client link. The crew could access more bandwidth as only casual web browsing, etc. was happening on the client link. 

The crew could push the link usage up to 500 kbps until the FTP session was restarted again.

4. When the FTP session was restarted on the client link, the shaping policy kicked in again to allocate the guaranteed 800 kbps limit to the requests.

The rest of the requests on the medium-priority crew link were shaped back.

5. The download finished on the high-priority client link and the download on the medium-priority link could have more bandwidth again.


The article shows how the FortiGate firewall dynamically allocates the available bandwidth, based on the traffic shaping and priority configuration and network utilisation.
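
The guarantees in the configuration above can only be honoured together if their sum fits within the wan1 limit (800 + 200 kbps against 1024 kbps). The following Python check is an added example, not part of the original article or any Fortinet tool; the names parse and guaranteed_headroom and the trimmed CONFIG sample are constructed for illustration, and it assumes a shaper without per-policy enabled is one pool shared by every policy that references it.

```python
# Constructed sample: the article's configuration reduced to the keys read below.
CONFIG = """\
config system interface
    edit "wan1"
        set outbandwidth 1024
    next
end
config firewall shaper traffic-shaper
    edit "client-guarantee-800kbps-high"
        set guaranteed-bandwidth 800
        set per-policy enable
    next
    edit "crew-guarantee-400-medium"
        set guaranteed-bandwidth 200
    next
end
config firewall policy
    edit 1
        set dstintf "wan1"
        set traffic-shaper "client-guarantee-800kbps-high"
    next
    edit 2
        set dstintf "wan1"
        set traffic-shaper "crew-guarantee-400-medium"
    next
end
"""

def parse(text):  # -> {section: {entry: {key: value}}}
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        verb, *args = line.replace('"', "").split() or [""]
        if verb == "config":
            section = " ".join(args)
        elif verb == "edit":
            entry = tree.setdefault(section, {}).setdefault(args[0], {})
        elif verb == "set":
            entry[args[0]] = " ".join(args[1:])
    return tree

def guaranteed_headroom(text):  # -> {egress interface: kbps left after all guarantees}
    tree, used, seen = parse(text), {}, set()
    for pol in tree.get("firewall policy", {}).values():
        intf, name = pol.get("dstintf"), pol.get("traffic-shaper")
        shaper = tree.get("firewall shaper traffic-shaper", {}).get(name)
        # Assumption: without per-policy a shaper is one shared pool, so count it once.
        if shaper and (shaper.get("per-policy") == "enable" or (intf, name) not in seen):
            seen.add((intf, name))
            used[intf] = used.get(intf, 0) + int(shaper.get("guaranteed-bandwidth", 0))
    return {i: int(tree.get("system interface", {}).get(i, {}).get("outbandwidth", 0)) - u for i, u in used.items()}
```

Calling guaranteed_headroom(CONFIG) returns the spare kbps per egress interface; a negative value means the guarantees are oversubscribed. An interface with no outbandwidth in the input is treated as 0 here and needs a manual look.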

Supporting documentation

For more information on Traffic Shaping and priority configuration, refer to the following documents on the Fortinet Document Library web site:

- FortiOS 5.0 or 5.2 Handbook.

- FortiOS Traffic Shaping guide.

